
Information Security Management Using MIS 4e Chapter 12.


1 Information Security Management Using MIS 4e Chapter 12

2 Study Questions
Q1 What are the threats to information security?
Q2 What is senior management’s security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2021?
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall 12-2

3 Q1: What Are the Threats to Information Security?
Security threats arise from three sources:
 Human error and mistakes
 Malicious human activity
 Natural events and disasters

4 Human Errors and Mistakes
Accidental problems caused by both employees and nonemployees:
 An employee misunderstands operating procedures and accidentally deletes customer records
 An employee, while backing up a database, inadvertently installs an old database on top of the current one
 Poorly written application programs and poorly designed procedures
 Physical accidents, such as driving a forklift through a computer room wall

5 Malicious Human Activity
 Employees and former employees who intentionally destroy data or other system components
 Hackers who break into a system; virus and worm writers who infect computer systems
 Outside criminals who break into a system to steal for financial gain
 Terrorism

6 Natural Events and Disasters
 Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
 Includes the initial loss of capability and service, and losses stemming from actions to recover

7 What Are the Types of Security Problems?

8 Safeguards

9 Q2: What Technical Safeguards Are Available?

10 Identification and Authentication
Authentication methods:
 Password
 Smart card: a microchip embedded with identifying data; authentication by PIN
 Biometric authentication: fingerprints, face scans, retina scans (see http://searchsecurity.techtarget.com)
 Single sign-on for multiple systems: authenticate to the network and other servers

11 Single Sign-on for Multiple Systems
 The operating system authenticates you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, the operating system authenticates you to other networks or servers.
 Kerberos—a system protocol that authenticates users without sending passwords across the computer network. Uses a complicated system of “tickets” to enable users to obtain services from networks and other servers.
 Windows, Linux, Unix, and other operating systems employ Kerberos to authenticate user requests across networks of computers using a mixture of operating systems.
 Always protect your passwords!

12 Wireless Access
 Drive-by sniffers: walk or drive around a business or residential area with a wireless computer and locate dozens, or even hundreds, of wireless networks.
 VPNs and special security servers: sophisticated communications equipment using elaborate techniques that require the support of highly trained communications specialists.
 Wired Equivalent Privacy (WEP): the IEEE 802.11 Committee developed a wireless security standard called WEP. Unfortunately, WEP has serious flaws.
 Wi-Fi Protected Access (WPA) and WPA2: developed and improved wireless security standards that newer wireless devices use.

13 Encryption

14 Essence of HTTPS (SSL or TLS)

15 Digital Signatures
 Most messages, such as email, are sent over the Internet as plaintext: “Please deliver shipment 1000 to our Oakdale facility.”
 It is possible for a third party to intercept the email, remove “our Oakdale facility”, substitute its own address, and send the message on to its destination.
 Digital signatures are a technique for ensuring plaintext messages are received without alteration.
 The plaintext message is first hashed. (Hashing is a method of mathematically creating a string of bits, the message digest, that characterizes the message.) In one popular standard, message digests are 160 bits long.

16 Using Digital Signatures

17 Digital Certificates: How Does the Receiver Obtain the True Party’s Public Key?
 Certificate authorities (CAs)—trusted, independent third-party companies that supply public keys.
 The browser requests the public key for Bank of America; the CA responds with a digital certificate: “Bank of America” (key) (CA key).
 A digital certificate is plaintext; it can be intercepted, and someone can substitute its own public key for BOA’s. To prevent that, the CA signs the digital certificate with its digital signature.
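The two slides above (hash, then sign; the CA signing a plaintext certificate) as an added, runnable example that is not part of the textbook or deck. It uses a Lamport hash-based one-time signature so that it needs only the standard library; the names, the Oakdale message and the tampering cases are taken from the slides, everything else is constructed here.

```python
import hashlib
import secrets

# SHA-256 gives a 256-bit digest. (The slide's "one popular standard" with
# 160-bit digests is SHA-1, which is no longer collision-resistant.)
DIGEST_BITS = 256

def digest(message: bytes) -> bytes:
    """Step 1 on the slide: hash the plaintext to a fixed-size message digest."""
    return hashlib.sha256(message).digest()

def bit(h: bytes, i: int) -> int:
    """Bit i of digest h, most significant bit first."""
    return (h[i // 8] >> (7 - i % 8)) & 1

def keygen():
    """Lamport one-time key pair: 2x256 random secrets; the public key is their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(DIGEST_BITS)] for _ in range(2)]
    pk = [[digest(s) for s in row] for row in sk]
    return sk, pk

def sign(sk, message: bytes) -> list:
    """For each digest bit reveal the secret from row 0 or row 1. A key must sign only once."""
    h = digest(message)
    return [sk[bit(h, i)][i] for i in range(DIGEST_BITS)]

def verify(pk, message: bytes, signature: list) -> bool:
    """Re-hash the message; each revealed secret must hash to the public value the bit selects."""
    if len(signature) != DIGEST_BITS:
        return False
    h = digest(message)
    return all(digest(s) == pk[bit(h, i)][i] for i, s in enumerate(signature))

def pk_bytes(pk) -> bytes:
    return b"".join(pk[0]) + b"".join(pk[1])

def issue_certificate(ca_sk, subject: str, subject_pk) -> tuple:
    """The CA binds a name to a public key and signs the plaintext binding."""
    body = subject.encode() + b"|" + pk_bytes(subject_pk)
    return body, sign(ca_sk, body)

def certificate_is_valid(ca_pk, cert, expected_subject: str, presented_pk) -> bool:
    """Browser side: the CA signature must verify AND the bound key must be the one presented."""
    body, sig = cert
    expected = expected_subject.encode() + b"|" + pk_bytes(presented_pk)
    return verify(ca_pk, body, sig) and body == expected

def demo() -> dict:
    bank_sk, bank_pk = keygen()
    ca_sk, ca_pk = keygen()
    msg = b"Please deliver shipment 1000 to our Oakdale facility."
    sig = sign(bank_sk, msg)
    altered = msg.replace(b"our Oakdale facility", b"the interceptor's address")
    cert = issue_certificate(ca_sk, "Bank of America", bank_pk)
    # Interceptor swaps its own key into the plaintext certificate (constructed case).
    _, impostor_pk = keygen()
    tampered = (cert[0].replace(pk_bytes(bank_pk), pk_bytes(impostor_pk)), cert[1])
    return {
        "genuine_verifies": verify(bank_pk, msg, sig),
        "altered_rejected": not verify(bank_pk, altered, sig),
        "cert_accepted": certificate_is_valid(ca_pk, cert, "Bank of America", bank_pk),
        "substituted_key_rejected": not certificate_is_valid(ca_pk, tampered, "Bank of America", impostor_pk),
    }

if __name__ == "__main__":
    print(demo())
```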

18 Firewalls
 Computing device that prevents unauthorized network access
 May be a special-purpose computer or a program on a general-purpose computer
 Organizations may have multiple firewalls: perimeter firewalls outside the network, internal firewalls inside the network
 Packet-filtering firewalls examine each part of a message; they may filter both incoming and outgoing messages
 Encoded rules state which IP addresses are allowed into or out of the network
 Do not connect to the Internet without firewall protection
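An added example, not from the textbook, of the “encoded rules” a packet-filtering perimeter firewall evaluates: first matching rule wins, anything unmatched is dropped, and rule order decides whether a deny is effective. The internal network 10.0.0.0/8, the hosts and the documentation-range source addresses are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (toward the internal network) or "out"
    src: str              # CIDR block or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int

def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def decide(rules: list, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule matches is denied (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed perimeter rule set (hypothetical addresses). The blocked-range deny is
# listed BEFORE the web-server allow; the other order would let that range reach port 443.
RULES = [
    Rule("in",  "203.0.113.0/24", "10.0.0.0/8",   "any", None, "deny"),  # blocked source range
    Rule("in",  "any",            "10.0.1.10/32", "tcp", 443,  "allow"), # public web server, HTTPS only
    Rule("in",  "any",            "10.0.0.0/8",   "tcp", 3389, "deny"),  # never expose remote desktop
    Rule("out", "10.0.0.0/8",     "any",          "tcp", 443,  "allow"), # internal hosts may browse
    Rule("out", "10.0.0.0/8",     "any",          "tcp", 80,   "allow"),
    Rule("out", "10.0.0.0/8",     "any",          "udp", 53,   "allow"), # DNS
]

def demo() -> dict:
    """Verdicts for a handful of constructed packets against RULES."""
    return {
        "in_https_to_web":    decide(RULES, Packet("in", "198.51.100.7", "10.0.1.10", "tcp", 443)),
        "in_ssh_to_web":      decide(RULES, Packet("in", "198.51.100.7", "10.0.1.10", "tcp", 22)),
        "in_from_blocked":    decide(RULES, Packet("in", "203.0.113.9", "10.0.1.10", "tcp", 443)),
        "out_https":          decide(RULES, Packet("out", "10.0.5.4", "198.51.100.7", "tcp", 443)),
        "out_smtp":           decide(RULES, Packet("out", "10.0.5.4", "198.51.100.7", "tcp", 25)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```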

19 Malware Protection
Type | Problems
Malware | Viruses, worms, Trojan horses, spyware, and adware
Virus | Computer program that replicates itself; takes unwanted and harmful actions
Macro virus | Attaches itself to Word, Excel, or other types of documents; the virus infects every file that the application creates or processes
Worm | Virus that propagates using the Internet or another computer network; can choke a network
Spyware | Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
Adware | Can slow computer performance

20 Symptoms of Adware and Spyware

21 Malware Safeguards
 Install antivirus and antispyware programs on your computer
 Set up your anti-malware programs to scan your computer frequently
 Update malware definitions
 Open email attachments only from known sources
 Promptly install software updates from legitimate sources
 Browse only in reputable Internet neighborhoods

22 Bots, Botnets, and Bot Herders
 Bot: a computer program surreptitiously installed that takes actions unknown to and uncontrolled by the computer’s owner or administrator. Some steal credit card data, banking data, and e-mail addresses; cause denial-of-service attacks; produce pop-ups.
 Botnet: a network of bots created and managed by an individual or organization
 Bot herder: the organization that controls the botnet

23 AOL and the National Cyber Security Alliance Malware Study
Question | User Response | Actual
Do you have a virus on your computer? | Yes: 6%; Did not know: 50% | 18%
Average (maximum) number on infected computer | | 2.4 (213)
How often do you update your antivirus software? | Last week: 71%; Last month: 2%; More than 6 mos.: 12% | Last week: 33%; Last month: 34%; More than 6 mos.: 12%
Do you think you have adware or spyware on your computer? | Yes: 53% | Yes: 80%
Average (maximum) number of spyware/adware found on computer | | 93 (1,059)
Did you give permission to install these on your computer? | Yes: 5%; No: 95% |

24 Phishing Examples

25 Design Secure Applications
You should ensure that any information system developed for you and your department includes security as a requirement.

26 Q4: What Data Safeguards Are Available? Data Safeguards

27 Q5: What Human Safeguards Are Available?
 Position definitions: least privilege possible
 Hiring and screening employees: extensive interviews and background checks for high-sensitivity positions
 Dissemination and enforcement: make employees aware of security policies and procedures
 Termination: establish security policies and procedures for employee termination; the HR dept. gives IS early notification

28 Security Policy for In-House Staff

29 Human Safeguards for Nonemployee Personnel
 Nonemployee personnel: temporary personnel, vendors, business partner personnel, and the public. Provide accounts and passwords with least privilege and remove accounts as soon as possible.
 Contract: require vendors and partners to perform appropriate screening and security training; specify security responsibilities particular to the work.
 Public safeguard: harden the site to reduce the system’s vulnerability; use special versions of the operating system, and lock down or eliminate operating system features and functions that are not required.

30 What Are the Components of an Organization’s Security Program?
Components of a security program:
1. Senior-management involvement
2. Safeguards of various kinds
3. Incident response
Critical security functions for senior management:
1. Establish a security policy to set the stage for the organization’s response to security threats.
2. Manage risk by balancing the costs and benefits of the security program.

31 Account Administration
 Account management: administration of user accounts, passwords, and help-desk policies and procedures; creation of new user accounts, modification of existing account permissions, removal of unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of the need for account changes.
 Password management: users should change passwords every 3 months or perhaps more frequently.

32 National Institute of Standards and Technology (NIST) Recommendation
The user signs a statement like this.

33 Help Desk Policies
 Means of authenticating a user: the user’s birthplace, mother’s maiden name, or last four digits of an important account number
 If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IS security. Someone has compromised your account.

34 Systems Procedures

35 Q2: What Is Senior Management’s Security Role?
Management sets security policy, and only management can balance the costs of a security system against the risk of security threats.

36 Elements of Information Systems Security—NIST Handbook

37 What Are the Elements of a Security Policy?
 General statement of the organization’s security program: management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and its documents, and specifies how enforcement of security programs and policies will be ensured.
 Issue-specific policy: personal use of computers at work and email privacy.
 System-specific policy: What customer data from the order-entry system will be sold or shared with other organizations? What policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

38 How Is Risk Managed?
 Risk—the likelihood of an adverse occurrence. Threats are not managed directly, but their security consequences can be limited, for example by creating a backup processing facility at a remote location. Safeguards can reduce risks, but at a cost. It is management’s responsibility to decide how much to spend, or how much risk to assume.
 Uncertainty—lack of knowledge, especially about the chance of occurrence or risk of an outcome or event. An earthquake could devastate a corporate data center built on a fault that no one knew about. An employee finds a way to steal inventory using a vulnerability in the corporate website that no expert knew existed.

39 Risk Assessment Factors
 Assets
 Threats
 Safeguards
 Vulnerability
 Consequences
 Likelihood
 Probable loss

40 Risk-Management Decisions
 Given the probable loss from the risk assessment, senior management must decide what to do.
 Some assets can be protected by inexpensive and easily implemented safeguards.
 Some vulnerabilities are expensive to eliminate, and management must determine whether the cost of the safeguard is worth the benefit of the probable loss reduction.

41 Ethics Guide: Security Privacy
Legal requirements to protect customer data:
 The Gramm-Leach-Bliley (GLB) Act (1999) protects consumer financial data stored by financial institutions.
 The Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government.
 The Health Insurance Portability and Accountability Act (HIPAA) (1996) gives individuals the right to access health data created by doctors and other health-care providers. HIPAA sets rules and limits on who can read and receive your health information.
 The Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.

42 Ethics Guide: Security Privacy
 Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers’ credit card data? Apparently not—at least not in the United States.
 However, online retailers have an ethical requirement to protect a customer’s credit card and other data.
 Retailers also have a strong business reason to protect customer data: a substantial loss of credit card data would have detrimental effects on sales and brand reputation.
 No federal law prohibits the U.S. Government from buying information from data accumulators.

43 Ethics Guide: Security Privacy
 State law or university policy may govern records, but no federal law does. Most universities consider it their responsibility to provide public access to graduation records: anyone can determine when you graduated, your degree and major.
 What about your class work? What about papers you write, answers you give on exams? What about email you send to your professor? They are not protected by federal law, and probably not protected by state law.
 If your professor cites your work in research, it is subject to copyright law, but not privacy law. What you write is no longer your personal data; it belongs to the academic community.
 What requirements does your university have on data it maintains about you?

44 Security Monitoring Functions
 Activity log analyses: firewall logs, DBMS log-in records, web server logs
 Security testing: in-house and external security professionals
 Investigation of incidents: how did the problem occur?
 Learn from incidents: indication of potential vulnerability and needed corrective actions; review and update security and safeguard policies

45 Security Monitoring
 Activity log analyses: firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed log-ins. Web servers produce logs of web activities. Operating systems on personal computers can produce logs of log-ins and firewall activities.
 Security testing: use in-house personnel and outside security consultants to conduct testing.
 Investigating and learning from security incidents.
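The activity-log analysis described on the two monitoring slides, as an added example that is not part of the textbook: it runs three simple detections over constructed DBMS log-in records and firewall drop records (a run of failed log-ins, a success right after a run of failures, and one source probing several closed ports). The key=value log format, hosts and addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the slides), in an assumed key=value format.
SAMPLE_LOG = """\
2012-03-01 08:01:12 dbms login user=alice src=10.0.5.4 result=failure
2012-03-01 08:01:30 dbms login user=alice src=10.0.5.4 result=success
2012-03-01 08:10:01 dbms login user=bob src=198.51.100.7 result=failure
2012-03-01 08:10:05 dbms login user=bob src=198.51.100.7 result=failure
2012-03-01 08:10:09 dbms login user=bob src=198.51.100.7 result=failure
2012-03-01 08:10:14 dbms login user=bob src=198.51.100.7 result=failure
2012-03-01 08:10:20 dbms login user=bob src=198.51.100.7 result=failure
2012-03-01 08:10:27 dbms login user=bob src=198.51.100.7 result=success
2012-03-01 08:12:00 fw DROP src=203.0.113.9 dst=10.0.1.10 dport=22
2012-03-01 08:12:01 fw DROP src=203.0.113.9 dst=10.0.1.10 dport=3389
2012-03-01 08:12:02 fw DROP src=203.0.113.9 dst=10.0.1.10 dport=445
2012-03-01 08:12:03 fw DROP src=203.0.113.9 dst=10.0.1.10 dport=1433
2012-03-01 08:15:00 fw DROP src=198.51.100.7 dst=10.0.1.10 dport=23
"""

DBMS_RE = re.compile(r"^(\S+ \S+) dbms login user=(\S+) src=(\S+) result=(success|failure)$")
FW_RE = re.compile(r"^(\S+ \S+) fw (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def dbms_events(text: str):
    """Yield (time, user, src, result) for each DBMS log-in line, in file order."""
    for m in filter(None, map(DBMS_RE.match, text.splitlines())):
        yield parse_ts(m[1]), m[2], m[3], m[4]

def firewall_events(text: str):
    """Yield (time, action, src, dst, dport) for each firewall line."""
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        yield parse_ts(m[1]), m[2], m[3], m[4], int(m[5])

def password_guessing(text: str, threshold: int = 5, window=timedelta(minutes=10)) -> dict:
    """Users with >= threshold failed log-ins inside a sliding time window -> sources involved."""
    failures = defaultdict(list)
    for ts, user, src, result in dbms_events(text):
        if result == "failure":
            failures[user].append((ts, src))
    flagged = {}
    for user, items in failures.items():          # items are already time-ordered
        for i in range(len(items) - threshold + 1):
            if items[i + threshold - 1][0] - items[i][0] <= window:
                flagged[user] = sorted({src for _, src in items[i:i + threshold]})
                break
    return flagged

def success_after_failures(text: str, min_failures: int = 3, window=timedelta(minutes=10)) -> list:
    """A success that closely follows a run of failures from the same source: possible compromise."""
    recent, hits = defaultdict(list), []
    for ts, user, src, result in dbms_events(text):
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window]   # forget old failures
        if result == "failure":
            recent[key].append(ts)
        elif len(recent[key]) >= min_failures:
            hits.append((user, src, len(recent[key])))
    return hits

def probing_sources(text: str, min_ports: int = 3) -> dict:
    """Sources whose dropped packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for _, action, src, _, dport in firewall_events(text):
        if action == "DROP":
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

A single failed log-in followed by a success (alice) is normal and is not flagged; the point of the thresholds and windows is to separate that from bob’s run of failures.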

46 Q6: How Should Organizations Respond to Security Incidents?
 Create backups for critical resources
 Backup processing centers in a geographically removed site; contract with a “backup site” provider (www.ragingwire.com/managed_services?=recovery)
 A hot site provides all equipment needed to continue operations there
 A cold site provides space, but you have to set up and install the equipment
 Periodically train and rehearse the cutover of operations

47 Disaster-Recovery Backup Sites
 Disaster: substantial loss of infrastructure caused by acts of nature, crime, or terrorism
 Appropriate location: fire-resistant buildings. Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents.
 Unobtrusive buildings, basements, backrooms, physical perimeter

48 Incident-Response Plan

49 Q7: What Is the Extent of Computer Crime?
 Computer Security Institute survey (2009), http://gocsi.com (registration required)
 Only 144 of 522 responding organizations provided cost-of-loss data (2009)
 Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600
 Some losses are difficult to quantify. What is the loss from a denial-of-service attack on a website? If the website is unavailable for 24 hours, what potential sales, prospects, or employees have been lost? What reputation problem was created for the organization?

50 Percentage of Security Incidents

51 Security Incident Trends
 The number of virus attacks steadily decreased, indicating the success of antivirus programs.
 Financial fraud remained relatively stable, affecting approximately 12% of respondents.
 Laptop theft declined from around 70% in 1999 to 44% in 2008.
 Financial fraud had the highest average incident cost—$463,100—and losses due to bots averaged $345,600.

52 Q8: 2021?
 The skill level of cat-and-mouse activity is likely to increase substantially.
 Increased security in operating systems and other software, improved security procedures, and employee training will make it harder and harder for a lone hacker to find some vulnerability to exploit.

53 Q8: 2021? (cont’d)
 The next challenges are likely to be iPhones, iPads, and other mobile devices. Security on these needs to be improved.
 Cyber warfare among nations: organized criminals, primarily bot herders, terrorists, or elements of renegade governments, inflicting a new type of cyber warfare on other nations. A Trojan horse called Zeus v3 emptied the accounts of thousands of British bank customers.
 The number of computer security jobs is expected to increase by 27% by 2016.

54 Guide: Security Assurance, Hah!
 Employees who never change their password, or use some simpleton word like “Sesame” or “MyDogSpot” or something equally absurd. Notes with passwords in the top drawer of desks.
 If you enter a system with a readily available password, is that even breaking in? Or is it more like opening a door with a key you were given?
 Management should stop talking about security risk assurance and start talking about and enforcing real security.

55 Guide: The Final, Final Word
 Stay alert to new technology-based opportunities
 Watch for “second wave” opportunities
 Enroll in a database class or systems development class, or a security class, even if you’re not an IS major
 Look for novel applications of IS technology in the emerging business environment

56 Active Review
Q1 What are the threats to information security?
Q2 What is senior management’s security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2021?
